[Serdev] auth_radius module problems in pre39
Maxim Sobolev
sobomax at portaone.com
Fri Jul 11 21:00:06 UTC 2003
Any progress on this?
-Maxim
Jan Janak wrote:
> Maxim,
>
> I'll comment on it on Thursday, I am terribly busy now.
>
>
> Jan.
>
> On 08-07 22:58, Maxim Sobolev wrote:
>
>>Folks,
>>
>>Following is the list of problems we encountered in the auth_radius
>>module found in the 0.8.11pre39 snapshot:
>>
>>1. Nonce validation apparently doesn't work. I've verified that the
>>nonce in client's authenticated request is the same as one sent by ser
>>in the Unauthorized reply, but check_nonce() fails, I am getting
>>"Invalid nonce value received, very suspicious" in the log and the auth
>>fails. I've commented check_nonce() call and it now works like a charm.
>>
>>2. For some unclear reason, auth module now compares hostname in the
>>request URI with realm provided in the appropriate auth header and
>>rejects auth if they do not match. This basically makes realm argument
>>in *_challenge() and *_authorize() functions totally useless as user
>>will be unable to select anything but SER's IP or SER's hostname there.
>>IMO this restriction has to be removed or at least conditionalised on
>>some config variable.
>>
>>My auth-related config looks like the following, I did not set any
>>auth-related parameters in the config (secret and so on), leaving them
>>on their default values.
>>
>>    if (!radius_www_authorize("")) {
>>        www_challenge("", "0");
>>        break;
>>    };
>>
>>
>>Thanks!
>>
>>-Maxim
>>
>>_______________________________________________
>>Serdev mailing list
>>serdev at lists.iptel.org
>>http://lists.iptel.org/mailman/listinfo/serdev